09-25-2009 09:25 PM
Hi there experts,
I am having an issue with the EZVPN that I configured on the 2811 we just newly bought. Actually, the thing is that I fully configured it, i.e. EZVPN. It does work; I mean, I do have my IKE phase 1 and 2 fully negotiated and it gets to the secure channels and all that it does whenever I connect with my Cisco VPN Client software. But the issue is that I can't access anything in my LAN; I can only ping through to my LAN interface, but anything beyond my LAN interface I just can't reach. Please find below the config.
version 12.4
no service pad
!
hostname wisertr
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.124-3g.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login wisegroup_DB local
aaa authentication login wisegroupvpnclient local
aaa authorization exec wisegroup_DB local
aaa authorization network wisegroup local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
ip cef
!
no ip bootp server
ip domain name wise.com
ip name-server 198.6.1.2
ip name-server 172.16.1.252
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
!
crypto isakmp client configuration group WISE_REM_VPN
key sup3rs3cr3t
dns 198.6.1.2 172.16.1.252
wins 172.16.1.252
domain wisegroupng.com
pool wisepool
save-password
include-local-lan
max-logins 5
acl SPLITREMOTE
!
!
crypto ipsec transform-set WISEREM_VPN esp-aes esp-sha-hmac
!
crypto dynamic-map WISEVPN_dynmap 10
set transform-set WISEREM_VPN
!
!
crypto map wisemap client authentication list mrsvpnclient
crypto map wisemap isakmp authorization list mrsgroups
crypto map wisemap client configuration address respond
crypto map wisemap 1000 ipsec-isakmp dynamic wisevpn_dynmap
!
!
!
interface FastEthernet0/0
description LAN_INT
ip address 172.16.1.7 255.255.255.0
ip nat inside
duplex half
speed 100
!
interface FastEthernet0/1
description WAN_INT
ip address 217.xx.xx.xx 255.255.255.248
ip nat outside
duplex full
crypto map wisemap
!
ip local pool wisepool 10.10.11.20 10.10.11.30
ip classless
ip route 0.0.0.0 0.0.0.0 217.xx.xx.xx
!
ip nat inside source list NAT_ADDRESS interface FastEthernet0/1 overload
!
ip access-list extended NAT_ADDRESS
deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 172.16.0 0.0.0.255 any
ip access-list ext SPLITREMOTE
permit ip 172.16.1.0 0.0.0.255 any
end
Please, I need to know what the wrong thing is that I am doing such that I can't reach my LAN, only the LAN interface of my router, which I could ping from the remote system. I have the feeling that it's a routing issue, but then I can't say. I also intend to configure a S2S VPN too with the same router and interface. Please advise!
09-26-2009 06:56 AM
Modify the SPLITREMOTE tunnel ACL and try again; it should be as:
deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 any
09-27-2009 04:19 AM
Hi Jorgemcse,
Thank you for your response. I will try it and surely get back to you! I appreciate it!
Thanx
Teddy
09-27-2009 05:29 PM
Hi Jorgemcse!
Just to let you know that I added the ACL as you said and still wasn't able to reach my LAN. Please, any other suggestions? Like I said, I am able to ping across to my router's LAN interface, but pinging beyond the router LAN interface is where the problem lies! I do appreciate your earlier suggestion and look out for more!
Thanx
Teddy
11-12-2009 09:48 PM
Hi, I think you should first make sure whether the traffic went through the VPN tunnel when you ping beyond the router LAN interface. You can check with "show crypto ipsec sa", or even "debug ip packet acl".
If the packet already reaches the router through the VPN tunnel and does go out, then you should check the GW of the PC in your LAN. If it is not reaching the router at all, you should sniff on your VPN client, or check its route table, to see why the traffic cannot go into the VPN tunnel.
11-14-2009 08:09 PM
Hi,
Well, I am not sure why you were suggested to modify the SPLITREMOTE tunnel ACL to make it:
deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 any
With the above suggested ACL you are in a way denying the tunnel traffic from the client to the router.
I have reviewed the configuration; it appears to be good. As a quick troubleshooting step I would suggest this:
ip access-list ext SPLITREMOTE
permit ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255
## By taking the destination as ANY in the SPLITREMOTE you are in no way splitting the tunnel traffic ##
Assuming that the client talks to the LAN interface of the router through the tunnel.
As a quick test, you can connect a host to the router and add a route using the Windows command prompt:
## route ADD 10.10.11.0 mask 255.255.255.0 172.16.1.7 ##
Please do let me know how it goes...
Regards
M
11-15-2009 01:15 AM
Hi,
I think the SPLITREMOTE tunnel ACL should be:
ip access-list ext SPLITREMOTE
permit ip 10.10.11.0 0.0.0.255 172.16.1.0 0.0.0.255
11-15-2009 06:44 AM
No, the access-list would be with a source of 172.16.1.x and a destination of 10.10.11.x.
I know why you might be thinking it the other way, because it is used under the client configuration. But it's
not that way.
When you configure a S2S VPN tunnel, you configure ACLs for crypto on both VPN terminating end devices, which
are mirror images of each other.
For example:
local subnet on Site A is 10.10.11.x
Local Subnet on Site B is 172.16.1.x
On Site A
you will specify the ACL as
10.10.11.x >>> 172.16.1.x
On Site B ,
172.16.1.x >>> 10.10.11.x
Now, when you create a dynamic IPsec VPN,
you create the crypto ACL ONLY on the site with the dynamic IP address, for the remote site with the static IP on it.
So, if Site B has a static public IP address of aa.aa.aa.bb and remote Site A is on a dynamic IP,
then a dynamic ACL on Site B will be created on its own when the tunnel is negotiated from Site A.
The same is the case with remote VPNs: they are dynamic peers. When you make a VPN connection, all attributes under
the client configuration are pushed to the clients; a mirror image of the ACL (i.e. the one configured under the client
configuration) would be learnt by the client on its end, which in turn will take the LAN subnet behind the router
as the tunnel destination, and hence you will add a route in the client's routing table.
As a quick recreate you can configure dynamic IPsec between 2 VPN devices and, on the static end, once the VPN is up, execute the command
show crypto ipsec sa and
you will find that your VPN device (on the static IP) has learnt a VPN ACL, i.e. the reverse of what is defined on the dynamic site.
Hope this helps.
Regards
M
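An added example, not from the thread or any of its posters: a small IOS-style ACL evaluator that runs the SPLITREMOTE variants and the NAT_ADDRESS exemption quoted in this thread against a constructed LAN-to-client return packet (172.16.1.50 to 10.10.11.21, both made up within the thread's subnets), and prints the client-side mirror of a router-side ACL as M describes. It only shows which entry a packet hits under first-match semantics; how IOS treats a deny entry inside a split-tunnel ACL is not asserted here.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Parse one IOS ACL address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))          # IOS wildcard = inverted netmask
    mask = str(ipaddress.IPv4Address(~wild & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], mask), strict=False), i + 2

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'permit|deny ip SRC DST' lines; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) >= 4 and t[0] in ("permit", "deny") and t[1] == "ip":
            src, i = _parse_addr(t, 2)
            dst, _ = _parse_addr(t, i)
            entries.append((t[0], src, dst))
    return entries

def acl_action(entries, src, dst):
    """IOS first-match evaluation, with the implicit 'deny' at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in entries:
        if s in sn and d in dn:
            return action
    return "deny"

def mirror(entries):
    """The client-side view of a router-side crypto ACL: the same entries with src/dst swapped."""
    return [(a, d, s) for a, s, d in entries]

# Constructed sample packet: a LAN host answering a VPN client drawn from the thread's pool.
LAN_HOST, VPN_CLIENT = "172.16.1.50", "10.10.11.21"
# The ACL variants quoted in the thread (SPLITREMOTE as suggested on 09-26 and on 11-14, and NAT_ADDRESS).
SPLIT_DENY_FIRST = "deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255\npermit ip 172.16.1.0 0.0.0.255 any"
SPLIT_TO_POOL = "permit ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255"
NAT_ADDRESS = "deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255\npermit ip 172.16.1.0 0.0.0.255 any"

def return_traffic_matches_split(split_acl):
    """Does the LAN->client return packet hit a permit entry in the router-side split ACL?"""
    return acl_action(parse_acl(split_acl), LAN_HOST, VPN_CLIENT) == "permit"

def return_traffic_is_natted(nat_acl):
    """A permit here means the packet would be PAT'd to the WAN address before IPsec sees it."""
    return acl_action(parse_acl(nat_acl), LAN_HOST, VPN_CLIENT) == "permit"

if __name__ == "__main__":
    print("deny-first split ACL permits LAN->client:", return_traffic_matches_split(SPLIT_DENY_FIRST))
    print("to-pool split ACL permits LAN->client:", return_traffic_matches_split(SPLIT_TO_POOL))
    print("NAT_ADDRESS translates LAN->client:", return_traffic_is_natted(NAT_ADDRESS))
    print("client-side mirror of SPLIT_TO_POOL:", mirror(parse_acl(SPLIT_TO_POOL)))
```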